I thought that each mode (<protect>, <restrict> and <shutdown>) was supposed to disregard the offending MAC address's traffic on the incoming switch port. I'm only able to get <shutdown> to stop offending traffic from reaching the layer 3 Vlan1 address of my switch.

When I use protect, nothing happens. I'm able to SSH into the switch's Vlan1 management IP interface successfully. When I use restrict I receive an SNMP trap for the violation and the counter increments, but I'm still able to SSH into the switch. Shutdown works as expected.

What gives? I thought the offending MAC address's traffic was supposed to be dropped.

I don't remember needing to know this for the CCNA, but I'm definitely studying this for the CCNP SWITCH. Interesting question. So we see a security violation count increasing. Can you do more than just reach the management interface? Can you actually log in and make changes?

I have 3 switches: a 2950, a 2950G and a 3550. I only tried this on my 2950SI; it was 11:30pm. The IOS version is 12.1(22)xx, so I thought it might just be something I overlooked. I'll test it out on the other 2 switches when I get a little time this evening.

Last edited by scottsee on Tue Nov 30, 2010 1:19 pm, edited 1 time in total.

Tip: If an interface is undergoing the restrict or protect condition, you might need to clear the learned MAC addresses so that a specific host can use the switch port. You can clear a MAC address or the complete port cache with the following command:

Switch# clear port-security dynamic [address mac-addr | interface type mod/num]
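As an added example (not from this thread, and not taken from the book the tip above is quoted from), here is an IOS configuration that exercises the three violation modes described in the opening post on three access ports, followed by the verification commands and the clearing command from the tip. The interface names, the VLAN number and the host MAC address are assumed for illustration; the command syntax is standard Catalyst port-security syntax.

```cisco
! Added example, not from the thread. Interface names, VLAN 10 and the
! MAC 0011.2233.4455 are assumed for illustration.
!
! --- protect: drop frames from unknown source MACs, no log, no counter ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation protect
!
! --- restrict: drop frames, send syslog/SNMP trap, increment the counter ---
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! --- shutdown (the default): err-disable the port on a violation ---
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Optional: let an err-disabled port recover by itself after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Verification, from enable mode ---
! Mode, status, last offending source MAC and Security Violation Count
show port-security interface FastEthernet0/2
! Every secure MAC the switch currently holds, per port
show port-security address
! Per the tip: flush the dynamically learned secure MACs on one port...
clear port-security dynamic interface FastEthernet0/2
! ...or a single learned address
clear port-security dynamic address 0011.2233.4455
! Shutdown mode: once the cause is fixed, bounce the err-disabled port
interface FastEthernet0/3
 shutdown
 no shutdown
```

Under restrict, `show port-security interface` is the place to look while reproducing the symptom in this thread: its Last Source Address and Security Violation Count fields show whether frames from the unexpected MAC are being counted against the port at all, which is the first thing to confirm before asking why any of them still reach the Vlan1 SVI.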

Yeah, so I figured maybe it was a problem with the MAC address table, so I unplugged my Cat6 cable from the switch, turned it on, configured port security without the switch ever learning a dynamic MAC from my NIC, and the issue still occurs.

I tried the following command to flush any dynamic MAC, but it didn't stop the offending frames from entering the Vlan1 interface.

Yep. I turned on another switch and trunked a link between the two. Communication to the VLAN management interface is successful even though port-security is configured on the switch, but it will not process frames destined for any other IP address. ICMP ping and Telnet session requests from my desktop to the 2nd switch failed every time while the port-security counters increase as expected, essentially doing the job that it should. When I turned off port-security on the offending f0/1 port, layer 3 communication went back to normal and I was able to reach my second switch.

Interesting..

Last edited by scottsee on Tue Nov 30, 2010 1:17 pm, edited 3 times in total.